"One
who shell live only to crack, will finaly be cracked by his own weaknesses"

Cracking A Win32 Web
Utility('Patching The Hell Out Of It')

Written by Bengaly

Introduction

SolidView allows interactive 3D
Shaded or wire frame viewing of Solid Model files (in STL and other
supported formats) from any angle or direction.SolidView/Lite is the FREE player
used to distribute 3D Communications to anyone.Extensive measurement capabilities
including volume, surface area and overall dimensions as
well as user directed linear , radial and angular
measurements are provided.In addition, SolidView provides the ability
to section and look inside an object .

About this protection

This program is registered by selecting the 'Help' button, then
the 'Register' button.
You fill only 9 digits of key.
:
Registration Key:

The Essay

Hello and welcome to my 27'th Tutorial.
This essay is not hard, and talks about Patching mostly (yes again)
;=)

Run the program, several times and take notes on how it's working, write
useful text that
You will be able to use as a 'weak points' on our target, mostly enter
invalid registration key
And take notes on the message that appear and write it down.
As usual we first make a 'Dead Listing' of our target in W32Dasm ,
this could take some time,
So grab some Drink i prefer Petel ;=) but any one should do the work.
after disassembly we will have a visual code that we can work on.

So let us search for this string in the 'String References: '
Incorrect Key .'
There are allot of text to look for, so goto value 'I' and look at
the bad message here:

Not so hard...we find the ' Beggar Off ' routine, now in order to know
which caller has
Brought us here we need to look at the un/contdional jump references..
It tell us there is 1 caller to this routine and it's being done at
address: 0062B3CENow this tut is not just "read that, do that,
patch this" this is not how u learn cracking,In order to crack anything from easy->hard apps
you need alittle 'zen' and ofcourseCracking knowledge and some ASM.So this tut is not like a book it's like a way
of thinking..Ok..let us think a little about this Protection
and how do we go throw it!

The main System Our App work:

1.the app is telling
us that we need to enter 9 digit numbers..2.the program takes our fake 9 digit serial
and do some checking with it those are:
a: checking the length of the serial, Must be 9 digits.
b: the serial must be 'valid'
c: check our fake serial with Valid serial that produced by
the program
3.if the compare was bad program will
bring us 'Bad MessageBoxA', else we register the prog

Got the general Idea??
Since our app here don't produce an serial from name (or at least i
think it doesn't)
So if u wish to do some 'Serial Fishing' then Use softice with "Bpx
GetWindowTextA" much easier.
To break and start tracing the code!
Else we do Parching :=)

Method : Patching

Weak Points:

Weak points we can find from the main system our beloved app use is:
1. attacking from the backdoor (using beggar_off_cracking) message
box and reverse it
2. changing flag (if there is any).

* Flag is a way the program think
if it's registered / unregistered, it reads the flag (0 = bad / 1=good)*That's in the register (mostly
Eax) and decide from the algo if it's 0/1 mostly by CMP instruction.*So a fake serial will produce
flag = 0 (EAX = FFFFFFFF), else it's registered (EAX = 00000001)

In order to find which 'Weak Points' we will enter
to the referenced jump : 0062B3CEW32Dasm will take us here:

Ok now it's time you look at the "Weak Points" i mentioned earlier..
What you think will be the solution here??
Guess you right (or wrong), the weak point is method 1 the "BackDoor"

Now on this position it is very clear to us what we are going to do!
It seems that the JNE instruction is triggered if the fake serial is
not matched to the real one
And every time it does not match it triggers and jump to the bad message
box.
So we can reverse the instruction that no metter what / which fake
serial you will be enter
The program always jump to the Good_Guy routine (Registered)!
Now be with cursor on the JNE instruction and look down at the buttom
of W32Dasm,
You will see this:

We need only the marked in blue Hex offset!
So open up an Hex Editor (Hview here), and look for those Hex offset
address, You will find your
Self in the same place as we saw in the Dissasembler.
Now just edit the JNE instruction to JE instruction.
I'll show you which bytes to search later.
Now our program except the register key just fine...no problem

Job Done so far.

Method : Hex Edit

But still when you do 'About' u will see "UnRegistered"...that's
not good..
Cuz the program think it's registered but the when loading it from
the registry file, it's still
A shareware program and prints "UnRegister"...
Easy to be fooled as well...not so hard here we go..
The "Unregistered" that it's prints is just a single Bytes (hex) that
are implanted in the exe un less u register It and it change it to "Register"

Load up Win Hex (much better when it's visual)...do text search for
"unregistered"
Now just Change it to "Registered"
A few Null (" ") just to kick "Un" ;D
Save File...
ReLoad the program...Cracked

Job Done!

Patches

First Patch Registration Key Code:

Search for those bytes: 85C07514
And replace them with: 85C07414

Second Patch : 'UnRegistered - > Registered'

Search for those bytes: 556E72656769737465726564
And replace them with:
000052656769737465726564

Not so hard..you will get it after allot of Practice!!!

Oh And..

Do I really have to remind you all that
by buying and NOT stealing the software you use will ensure that these
software houses will continue to produce even *better* software for us
to use and more importantly, to continue offering even more challenges
to breaking their often weak protection systems.

If your looking for cracks or serial
numbers then your wasting your time, try searching elsewhere on the Web
under Warez, Cracks and etc.

+SandMan...

Greetings

I would like to say thank you to all who has supported me, and helped
me through my cracking days: